The tcpdump command in Linux: capturing network traffic

Introduction

tcpdump is a powerful and versatile command-line tool that allows capturing and analyzing network traffic in real time on Linux systems. Its ability to apply detailed filters makes it an indispensable ally for system administrators, network engineers, and security professionals who need to diagnose problems, monitor activity, or investigate incidents.

What is tcpdump?

Originally developed in 1988 at the Lawrence Berkeley Laboratory, tcpdump is built on libpcap, the packet capture library that grew out of it and is maintained alongside it today. It operates at the data link layer: the kernel hands it a copy of every frame that crosses the interface, so it sees raw, unprocessed frames, but it does not intercept anything, and the packets still reach the operating system's network stack normally.

Installation

In most modern distributions, tcpdump comes pre-installed. If it is not available, it can be easily installed via the package manager:

  • Debian/Ubuntu: sudo apt-get update && sudo apt-get install tcpdump
  • Red Hat/CentOS: sudo yum install tcpdump (sudo dnf install tcpdump on current releases)
  • Fedora: sudo dnf install tcpdump
  • Arch Linux: sudo pacman -S tcpdump

Basic Syntax

The general format of the command is:

tcpdump [options] [filter expression]

Some of the most used options are:

  • -i interface: specifies the network interface (e.g., eth0, wlan0); -i any captures on all interfaces at once.
  • -c number: stops after the given number of packets has been captured.
  • -w file: writes the raw captured packets to a file in pcap format instead of printing them.
  • -r file: reads a previously saved pcap file instead of a live interface.
  • -n: does not resolve IP addresses to host names; -nn also leaves port and protocol numbers unresolved.
  • -v, -vv, -vvv: increase the verbosity level (TTL, IP id, checksum verification, and more).

Common Examples

Below are some practical examples illustrating typical tcpdump usage:

  • Capture all traffic on an interface (press Ctrl-C to stop):
    sudo tcpdump -i eth0
  • Limit to 100 packets and print addresses numerically, without DNS lookups:
    sudo tcpdump -i eth0 -c 100 -n
  • Filter traffic on port 80 (normally HTTP; the filter matches the port, not the protocol):
    sudo tcpdump -i eth0 port 80
  • Show packets on port 22 (SSH) with name resolution disabled:
    sudo tcpdump -i eth0 port 22 -n
  • Save a capture for later analysis (nothing is printed per packet while writing):
    sudo tcpdump -i eth0 -w capture.pcap

Advanced Filters

The filter expression follows the Berkeley Packet Filter (BPF) syntax documented in pcap-filter(7). Put the expression in single quotes whenever it contains characters the shell would otherwise interpret, such as &, |, ! or parentheses. Some examples of more complex filters:

  • tcpdump -i eth0 src host 192.168.1.10: shows packets whose source is IP 192.168.1.10.
  • tcpdump -i eth0 'dst port 443 and tcp[tcpflags] & tcp-syn != 0': captures packets toward port 443 with the SYN flag set, i.e. TLS connection initiations. The dst port 443 clause already keeps the server's SYN-ACK replies out, since those carry 443 as the source port.
  • tcpdump -i eth0 net 10.0.0.0/8: filters all traffic within the private network 10.0.0.0/8.
  • tcpdump -i eth0 icmp: shows only ICMP packets (echo request/reply from ping, and the time-exceeded and unreachable messages that traceroute relies on).

Saving and Reading Captures

The pcap files generated by tcpdump can be analyzed later with tcpdump itself or with tools such as Wireshark and tshark:

  • Read a file: tcpdump -r capture.pcap (add -n or -nn; name resolution otherwise happens at read time as well)
  • Apply filters when reading: tcpdump -r capture.pcap port 80
  • Read only the first 10 packets: tcpdump -r capture.pcap -c 10 (to count every packet in the file, pipe the default one-line-per-packet output through wc -l)

Writing the raw stream to standard output with -w - lets a second tcpdump consume it, which is useful when the same stream also has to go somewhere else (to a file through tee, or over ssh to another host). Add -U so each packet is flushed to the pipe as it arrives instead of sitting in a stdio buffer:

sudo tcpdump -i eth0 -U -w - | tcpdump -r - port 22

When a single filter is all you need, give it to the capturing tcpdump directly; the pipe adds nothing there.
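As an added example that is not part of the original post, the following Python script shows what is inside the file that -w produces and what the SYN filter from the previous section actually tests. It writes a handful of constructed Ethernet/IPv4/TCP frames to a classic pcap file, reads them back, and applies the Python equivalent of dst port 443 and tcp[tcpflags] & tcp-syn != 0, plus a stricter variant, tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn, that also rejects SYN-ACK segments. Everything in it is an assumption made for illustration: the MAC addresses, IP addresses, ports, timestamps and the zeroed TCP checksum are made up, and the script never opens a network interface, so it runs without privileges.

```python
"""Added example, not from the original post: a minimal writer/reader for the classic
pcap format that 'tcpdump -w' produces, and a Python version of the page's filter
dst port 443 and tcp[tcpflags] & tcp-syn != 0. All packets are constructed inline."""
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10    # the bit values BPF names tcp-syn and tcp-ack

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum of an IPv4 header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_tcp_frame(src_ip, dst_ip, sport, dport, flags) -> bytes:
    """Ethernet/IPv4/TCP frame, no payload. Assumptions: dummy MACs, TCP checksum
    left at zero (tcpdump only verifies checksums with -v)."""
    eth = bytes.fromhex("020000000001020000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + tcp

def write_pcap(path, frames, snaplen=262144):
    """24-byte global header, then per packet a 16-byte record header
    (ts_sec, ts_usec, captured length, on-the-wire length) followed by the bytes."""
    with open(path, "wb") as f:
        f.write(struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):      # constructed timestamps, 1 s apart
            f.write(struct.pack("=IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
            f.write(frame)

def read_pcap(path):
    """Yield (ts_sec, ts_usec, frame) from a classic pcap file of either byte order."""
    with open(path, "rb") as f:
        hdr = f.read(24)
        magic = struct.unpack("<I", hdr[:4])[0] if len(hdr) == 24 else 0
        endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
        if endian is None:
            raise ValueError("not a classic pcap file (pcapng is not handled here)")
        if struct.unpack(endian + "I", hdr[20:24])[0] != LINKTYPE_ETHERNET:
            raise ValueError("expected Ethernet link type")
        while len(rec := f.read(16)) == 16:
            ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
            yield ts_sec, ts_usec, f.read(incl_len)

def tcp_fields(frame):
    """(src_ip, dst_ip, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    if frame[14] >> 4 != 4 or frame[23] != IPPROTO_TCP:
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]       # skip IP options if present
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]                                 # the byte BPF calls tcp[tcpflags]
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), sport, dport, flags

def syn_to_port(frame, port=443, exclude_syn_ack=False):
    """dst port PORT and tcp[tcpflags] & tcp-syn != 0. With exclude_syn_ack the test
    becomes tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn, dropping SYN-ACKs as well."""
    f = tcp_fields(frame)
    if f is None or f[3] != port:
        return False
    if exclude_syn_ack:
        return (f[4] & (TCP_SYN | TCP_ACK)) == TCP_SYN
    return (f[4] & TCP_SYN) != 0

# Constructed sample traffic (not a real capture): handshake to 443, an odd SYN-ACK to 443, a SYN to 80.
SAMPLE_FRAMES = [
    build_tcp_frame("192.168.1.10", "203.0.113.5", 51234, 443, TCP_SYN),
    build_tcp_frame("203.0.113.5", "192.168.1.10", 443, 51234, TCP_SYN | TCP_ACK),
    build_tcp_frame("192.168.1.10", "203.0.113.5", 51234, 443, TCP_ACK),
    build_tcp_frame("192.168.1.10", "203.0.113.5", 443, 443, TCP_SYN | TCP_ACK),
    build_tcp_frame("192.168.1.10", "203.0.113.5", 51235, 80, TCP_SYN),
]

def demo():
    """Write the sample to a temp file; return (path, loose matches, strict matches)."""
    path = os.path.join(tempfile.mkdtemp(), "sample.pcap")
    write_pcap(path, SAMPLE_FRAMES)
    frames = [fr for _, _, fr in read_pcap(path)]
    return (path, sum(syn_to_port(fr) for fr in frames),
            sum(syn_to_port(fr, exclude_syn_ack=True) for fr in frames))

if __name__ == "__main__":
    p, loose, strict = demo()
    print(f"{p}: loose filter matched {loose}, strict filter matched {strict}")
    print("cross-check: tcpdump -nn -r", p, "'dst port 443 and tcp[tcpflags] & tcp-syn != 0'")
```

Run it with python3 and then point tcpdump at the file it reports, with the same quoted filter, to confirm that both agree on the two matching packets; the strict variant keeps only the first one. The `tcp[13]` byte the script tests is exactly the offset the BPF name tcp[tcpflags] resolves to, which is why the two notations line up.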

Best Practices

  • tcpdump needs the CAP_NET_RAW capability to open a packet socket and CAP_NET_ADMIN to put the interface in promiscuous mode, which is why it is normally started as root or via sudo. Most distribution builds drop to an unprivileged user right after opening the interface; -Z user chooses that user explicitly, and -p skips promiscuous mode when only traffic addressed to the host is of interest.
  • Treat capture files as sensitive: a pcap holds everything that crossed the wire, including credentials of cleartext protocols. Keep them on a restricted path and delete them once the analysis is finished.
  • Prefer -n or -nn while investigating: reverse DNS lookups slow the capture down and themselves generate traffic that a watched host or attacker may notice.
  • Use a filter together with -c or a rotating file size (-C) rather than capturing everything; unbounded captures on a busy interface fill disks and end up dropping packets.


This work is licensed under a Creative Commons Attribution 4.0 International License, by Francesc Roig francesc@vivaldi.net.